(RADIATOR) FramedGroup Proxy Handling With Framed-IP-Address=255.255.255.254
Jason Haltom
jasonh at ideateksystems.com
Fri Dec 16 14:55:46 CST 2005
(Background)
Pretty much what we do is every realm is assigned a FramedGroup, whether
the <Client> has a FramedGroupBaseAddress or not. If there is no
FramedGroupBaseAddress we just get an error in our logs and the NAS or
other proxy radius (which is between us and another company's NAS)
handles the IP. That way our client's users and our users can pass
between all these different NAS boxes without a problem.
(Problem)
We are acting as a proxy between a client's equipment and their radius.
We like to have Radiator handle our IP assignments (via FramedGroup) but
our client likes to have the NAS handle the IPs. This is a dialup/ISDN
setup; some ISDN users do have a sticky IP assigned by our client's
radius. Our client's radius always hands out a Framed-IP-Address. If
the user does not have a sticky IP assigned to them the radius sends a
Framed-IP-Address=255.255.255.254. According to what they have told me,
this is done to inform the NAS that it should handle IP assignment. We
have no problems with this client's NASs with this setup; however, due
to the way everything else is set up, any users that belonged to this
client that connected to one of our NAS boxes were unable to log on
because they were assigned an IP of 255.255.255.254 and Radiator passed
it on to the NAS, but the NAS did not know what to do with it (as it is not
set up to hand out IPs), so it gave the user that address.
I tried using several hooks to work around this and could never get any
of them to work.
(Fix)
I updated the "handle_framedgroup" function in Configurable.pm to handle
these 255.255.255.254 addresses. If there is a Framed-IP-Address and it
is NOT 255.255.255.254 then Radiator acts as it always has. However, if
the Framed-IP-Address is 255.255.255.254 the function will act as if the
address is not assigned at all and hand out an IP based on the
FramedGroupBaseAddress assignment. (Note for the sanity of anyone who
does not know this: this function is only run when there is a
FramedGroupBaseAddress assigned.)
I am not sure if this is anything useful to anyone else, but it may be
handy to anyone with a goofy setup like we have. This change should
only affect people who are running a proxy server using FramedGroup and process
255.255.255.254 addresses from another server. (If I am wrong please let
me know.)
Included below is a snip from our radius config file and the changed
function mentioned above.
Thanks,
Jason Haltom
(Here is a snip from our radius.cfg file)
[radius.cfg]
##-----------------AUTHBYs
<AuthBy SQL>
    Identifier FilterAndAccounting
    {removed all the sql stuff as it is not needed for the example}
</AuthBy>
<AuthBy RADIUS>
    Identifier PixiusRad
    <Host 64.39.212.132>
        Secret {removed}
        AuthPort 1645
        AcctPort 1646
    </Host>
    <Host 209.173.229.160>
        Secret {removed}
        AuthPort 1645
        AcctPort 1646
    </Host>
    LocalAddress 12.19.114.3
    StripFromRequest NAS-IP-Address
    AddToRequest NAS-IP-Address=12.19.114.3
    AddToReplyIfNotExist Idle-Timeout = 1800
    AddToReplyIfNotExist Session-Timeout = 18000
</AuthBy>
##-----------------CLIENTs
<Client 12.19.117.3>
    Description Portmaster
    DefaultRealm pxs
    FramedGroupBaseAddress 12.19.117.100
    FramedGroupBaseAddress 12.19.117.150
    FramedGroupBaseAddress 12.19.117.200
    NasType Portmaster3
    Secret {removed}
</Client>
<Client 24.249.116.4>
    Description JC dialup POP run by pxs
    Secret {removed}
    DefaultRealm pxs
</Client>
##-----------------REALMs
<Realm pxs>
    AuthByPolicy ContinueWhileAccept
    RewriteUsername s/\@pxs//
    AuthBy PixiusRad
    SessionDatabase sessionDB
    MaxSessions 2
    FramedGroup 2
    AuthLog globalauthlog
</Realm>
<Realm kansasi.net>
    AuthByPolicy ContinueWhileAccept
    AuthBy FilterAndAccounting
    Description kansasi.net realm
    FramedGroup 2
    MaxSessions 2
    PasswordLogFileName logs/kansasi-pass.log
    RejectHasReason
    SessionDatabase sessionDB
    AuthLog globalauthlog
</Realm>
(Here is the changed function with comments on the change area)
[Configurable.pm]
#####################################################################
# This is to handle FramedGroup Realm request or Framed-Group
# user attribute
# it takes return packet, group value and packet flag as parameters.
sub handle_framedgroup
{
    my ($self, $p, $value) = @_;

    ##----Mod by JMH to allow Radiator to act as the NAS if it is a proxy
    # to assign an IP address.
    # What to do if there is already an IP address
    if (defined $p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS))
    {
        # If there is a framed IP address and it is not an RFC address
        # then return as normal.
        # If it is an RFC address then allow FramedGroup to assign an
        # address, as it is acting as the NAS in the aspect of IP handling.
        return if ($p->{rp}->getAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS)
                   ne "255.255.255.254");
        # Notify the debug logs that we ignored an address.
        $self->log($main::LOG_DEBUG, "Ignored Framed-IP-Address", $p);
    }
    ##----END of Mod -- see below for old code.
    # Don't do this if there is already an IP address
    # return if defined $p->{rp}->getAttrByNum
    #     ($Radius::Radius::FRAMED_IP_ADDRESS);
    ##----End of old code.

    $self->log($main::LOG_DEBUG,
               "FramedGroup $value address is being assigned", $p);
    # Figure out an address to allocate
    my $base = $p->{Client}->{FramedGroupBaseAddress}[$value];
    if (!defined $base)
    {
        $self->log($main::LOG_WARNING,
                   "There is no FramedGroupBaseAddress defined for a Framed-Group of $value. No address will be allocated", $p);
        return;
    }
    if ($p->{Client}->{FramedGroupMaxPortsPerClassC} == 0)
    {
        $self->log($main::LOG_WARNING,
                   "FramedGroupMaxPortsPerClassC is 0. No address will be allocated", $p);
        return;
    }
    my @base = split(/\./, $base);
    my $port = $p->getAttrByNum($Radius::Radius::NAS_PORT);
    # Adjust port number by subtracting an offset. Cisco ISDN port numbers
    # start at a silly number
    $port -= $p->{Client}->{FramedGroupPortOffset}
        if $port > $p->{Client}->{FramedGroupPortOffset};
    # Compute octet 4 of the IP address
    my $o4 = $base[3] + ($port % $p->{Client}->{FramedGroupMaxPortsPerClassC});
    # Compute octet 3 of the IP address
    my $o3 = ($base[2] + int($port / $p->{Client}->{FramedGroupMaxPortsPerClassC})) % 256;
    $p->{rp}->changeAttrByNum($Radius::Radius::FRAMED_IP_ADDRESS,
                              "$base[0].$base[1].$o3.$o4");
}
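The allocation logic above, re-implemented stand-alone so the 255.255.255.254 special case and the octet arithmetic can be exercised without a Radiator install. This is an added example, not Radiator's code or the poster's; the reply and client are plain dicts, the base addresses are the three from the <Client 12.19.117.3> block, and the FramedGroupMaxPortsPerClassC and FramedGroupPortOffset values are assumed. The overflow guard on the fourth octet is an addition the Perl does not have.

```python
# Sentinel the upstream RADIUS sends when the NAS is expected to assign the IP.
NAS_ASSIGNS_IP = "255.255.255.254"

# Constructed sample mirroring <Client 12.19.117.3> from the posted config;
# MaxPortsPerClassC and PortOffset are assumed values, not from the post.
PORTMASTER = {
    "FramedGroupBaseAddress": ["12.19.117.100", "12.19.117.150", "12.19.117.200"],
    "FramedGroupMaxPortsPerClassC": 50,
    "FramedGroupPortOffset": 0,
}


def framed_group_address(reply, client, group, nas_port):
    """Return the Framed-IP-Address FramedGroup should set, or None to leave
    the reply untouched. Mirrors the patched handle_framedgroup: a genuine
    sticky address wins, the sentinel counts as 'no address assigned'."""
    existing = reply.get("Framed-IP-Address")
    if existing is not None and existing != NAS_ASSIGNS_IP:
        return None  # real sticky address from upstream: keep it (pre-patch behaviour)
    bases = client.get("FramedGroupBaseAddress", [])
    max_ports = client.get("FramedGroupMaxPortsPerClassC", 255)  # assumed default
    if group >= len(bases) or max_ports == 0:
        return None  # no base for this group / nothing to allocate (Perl warns here)
    offset = client.get("FramedGroupPortOffset", 0)
    port = nas_port - offset if nas_port > offset else nas_port
    o1, o2, o3, o4 = (int(x) for x in bases[group].split("."))
    o4 += port % max_ports               # octet 4: base plus port within the block
    o3 = (o3 + port // max_ports) % 256  # octet 3: advance per full block of ports
    if o4 > 255:
        return None  # added guard: the Perl would emit an invalid octet here
    return f"{o1}.{o2}.{o3}.{o4}"


def apply_framed_group(reply, client, group, nas_port):
    """Update the reply in place the way changeAttrByNum would, and return it."""
    addr = framed_group_address(reply, client, group, nas_port)
    if addr is not None:
        reply["Framed-IP-Address"] = addr
    return reply
```

A reply that still carries 255.255.255.254 after apply_framed_group is exactly the case where no FramedGroupBaseAddress matched, which is the situation the post describes the NAS then receiving.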